.\" This file is distributed under the University of Illinois Open Source
.\" License. See LICENSE.TXT for details.
.\" $Id$
.Dd May 25, 2012
.Os "clang" "3.1"
.Dt SCAN-BUILD \&1 CLANG
.Sh NAME
.Nm scan-build
.Nd Clang static analyzer
.Sh SYNOPSIS
.Nm
.Op Fl ohkvV
.Op Fl analyze-headers
.Op Fl enable-checker Op Ar checker_name
.Op Fl disable-checker Op Ar checker_name
.Op Fl Fl help
.Op Fl Fl help-checkers
.Op Fl Fl html-title Op Ar =title
.Op Fl Fl keep-going
.Op Fl plist
.Op Fl plist-html
.Op Fl Fl status-bugs
.Op Fl Fl use-c++ Op Ar =compiler_path
.Op Fl Fl use-cc Op Ar =compiler_path
.Op Fl Fl view
.Op Fl constraints Op Ar model
.Op Fl maxloop Ar N
.Op Fl no-failure-reports
.Op Fl stats
.Op Fl store Op Ar model
.Ar build_command
.Op build_options
.\"
.\" Sh DESCRIPTION
.Sh DESCRIPTION
.Nm
is a Perl script that invokes the Clang static analyzer. Options used by
.Nm
or by the analyzer appear first, followed by the
.Ar build_command
and any
.Ar build_options
normally used to build the target system.
.Pp
The static analyzer employs a long list of checking algorithms, see
.Sx CHECKERS .
Output can be written in standard
.Li .plist
and/or HTML format.
.Pp
The following options are supported:
.Bl -tag -width indent
.It Fl analyze-headers
Also analyze functions in #included files.
.It Fl enable-checker Ar checker_name , Fl disable-checker Ar checker_name
Enable/disable
.Ar checker_name .
See
.Sx CHECKERS .
.It Fl h , Fl Fl help
Display this message.
.It Fl Fl help-checkers
List default checkers, see
.Sx CHECKERS .
.It Fl Fl html-title Ns Op = Ns Ar title
Specify the title used on generated HTML pages.
A default title is generated if
.Ar title
is not specified.
.It Fl k , Fl Fl keep-going
Add a
.Dq keep on going
option to
.Ar build_command .
Currently supports make and xcodebuild.
This is a convenience option;
one can specify this behavior directly using build options.
.It Fl o
Target directory for HTML report files. Subdirectories will be
created as needed to represent separate invocations
of the analyzer. If this option is not specified, a directory is
created in /tmp (TMPDIR on Mac OS X) to store the reports.
.It Fl plist
Output the results as a set of
.Li .plist
files. (By default the output of
.Nm
is a set of HTML files.)
.It Fl plist-html
Output the results as a set of HTML and
.Li .plist
files.
.It Fl Fl status-bugs
Set the exit status to 1 if potential bugs were found and 0 otherwise. By
default the exit status of
.Nm
is that returned by
.Ar build_command .
.It Fl Fl use-c++ Ns Op = Ns Ar compiler_path
By default,
.Nm
guesses the compiler for your C++ and Objective-C++ code. Use this
option to specify an alternate compiler.
.It Fl Fl use-cc Ns Op = Ns Ar compiler_path
By default,
.Nm
guesses the compiler for your C and Objective-C code. Use this
option to specify an alternate compiler.
.It Fl v
Verbose output from
.Nm
and the analyzer. A second and
third
.Ar v
increase verbosity.
.It Fl V , Fl Fl view
View analysis results in a web browser when the build completes.
.It Fl constraints Op Ar model
Specify the constraint engine used by the analyzer. By default the
.Ql range
model is used. Specifying
.Ql basic
uses a simpler, less powerful constraint model used by checker-0.160
and earlier.
.It Fl maxloop Ar N
Specify the number of times a block can be visited before giving
up. Default is 4. Increase for more comprehensive coverage at a
cost of speed.
.It Fl no-failure-reports
Do not create a
.Ql failures
subdirectory that includes analyzer crash reports and preprocessed
source files.
.It Fl stats
Generates visitation statistics for the project being analyzed.
.It Fl store Op Ar model
Specify the store model used by the analyzer. By default, the
.Ql region
store model is used.
.Ql region
specifies a field-sensitive store model. Users can also specify
.Ql basic
which is far less precise but can more quickly analyze code.
.Ql basic
was the default store model for checker-0.221 and earlier.
.\"
.El
.Sh RETURN VALUES
.Nm
returns the value returned by
.Ar build_command
unless
.Fl Fl status-bugs
or
.Fl Fl keep-going
is used.
.\"
.\" Other sections not yet used ...
.\" .Sh ENVIRONMENT
.\" .Sh FILES
.\" .Sh DIAGNOSTICS
.\" .Sh COMPATIBILITY
.\" .Sh HISTORY
.\" .Sh BUGS
.\"
.Sh CHECKERS
The checkers listed below may be enabled/disabled using the
.Fl enable-checker
and
.Fl disable-checker
options.
A default group of checkers is run unless explicitly disabled.
Exactly which checkers constitute the default group is a function
of the operating system in use; they are listed with
.Fl Fl help-checkers .
.Bl -tag -width indent
.It core.AdjustedReturnValue
Check to see if the return value of a function call is different from
what the caller expects (e.g., from calls through function pointers).
.It core.AttributeNonNull
Check for null pointers passed as arguments to a function whose arguments are marked with the
.Ql nonnull
attribute.
.It core.CallAndMessage
Check for logical errors for function calls and Objective-C message expressions (e.g., uninitialized arguments, null function pointers).
.It core.DivideZero
Check for division by zero.
.It core.NullDereference
Check for dereferences of null pointers.
.It core.StackAddressEscape
Check that addresses to stack memory do not escape the function.
.It core.UndefinedBinaryOperatorResult
Check for undefined results of binary operators.
.It core.VLASize
Check for declarations of VLA of undefined or zero size.
.It core.builtin.BuiltinFunctions
Evaluate compiler builtin functions, e.g.
.Fn alloca .
.It core.builtin.NoReturnFunctions
Evaluate
.Ql panic
functions that are known to not return to the caller.
.It core.uninitialized.ArraySubscript
Check for uninitialized values used as array subscripts.
.It core.uninitialized.Assign
Check for assigning uninitialized values.
.It core.uninitialized.Branch
Check for uninitialized values used as branch conditions.
.It core.uninitialized.CapturedBlockVariable
Check for blocks that capture uninitialized values.
.It core.uninitialized.UndefReturn
Check for uninitialized values being returned to the caller.
.It deadcode.DeadStores
Check for values stored to variables that are never read afterwards.
.It debug.DumpCFG
Display Control-Flow Graphs.
.It debug.DumpCallGraph
Display Call Graph.
.It debug.DumpDominators
Print the dominance tree for a given Control-Flow Graph.
.It debug.DumpLiveVars
Print results of live variable analysis.
.It debug.Stats
Emit warnings with analyzer statistics.
.It debug.TaintTest
Mark tainted symbols as such.
.It debug.ViewCFG
View Control-Flow Graphs using
.Ic GraphViz .
.It debug.ViewCallGraph
View Call Graph using
.Ic GraphViz .
.It llvm.Conventions
Check code for LLVM codebase conventions.
.It osx.API
Check for proper uses of various Mac OS X APIs.
.It osx.AtomicCAS
Evaluate calls to
.Vt OSAtomic
functions.
.It osx.SecKeychainAPI
Check for proper uses of Secure Keychain APIs.
.It osx.cocoa.AtSync
Check for null pointers used as mutexes for @synchronized.
.It osx.cocoa.ClassRelease
Check for sending
.Ql retain ,
.Ql release ,
or
.Ql autorelease
directly to a Class.
.It osx.cocoa.IncompatibleMethodTypes
Warn about Objective-C method signatures with type incompatibilities.
.It osx.cocoa.NSAutoreleasePool
Warn for suboptimal uses of
.Vt NSAutoreleasePool
in Objective-C GC mode.
.It osx.cocoa.NSError
Check usage of NSError** parameters.
.It osx.cocoa.NilArg
Check for prohibited nil arguments to Objective-C method calls.
.It osx.cocoa.RetainCount
Check for leaks and improper reference count management.
.It osx.cocoa.SelfInit
Check that
.Ql self
is properly initialized inside an initializer method.
.It osx.cocoa.UnusedIvars
Warn about private ivars that are never used.
.It osx.cocoa.VariadicMethodTypes
Check for passing non-Objective-C types to variadic methods that expect only Objective-C types.
.It osx.coreFoundation.CFError
Check usage of CFErrorRef* parameters.
.It osx.coreFoundation.CFNumber
Check for proper uses of
.Fn CFNumberCreate .
.It osx.coreFoundation.CFRetainRelease
Check for null arguments to
.Fn CFRetain
and
.Fn CFRelease .
.It osx.coreFoundation.containers.OutOfBounds
Checks for index out-of-bounds when using the
.Vt CFArray
API.
.It osx.coreFoundation.containers.PointerSizedValues
Warns if
.Vt CFArray ,
.Vt CFDictionary ,
or
.Vt CFSet
are created with non-pointer-size values.
.It security.FloatLoopCounter
Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP).
.It security.insecureAPI.UncheckedReturn
Warn on uses of functions whose return values must be always checked.
.It security.insecureAPI.getpw
Warn on uses of
.Fn getpw .
.It security.insecureAPI.gets
Warn on uses of
.Fn gets .
.It security.insecureAPI.mkstemp
Warn when
.Fn mkstemp
is passed fewer than 6 X's in the format string.
.It security.insecureAPI.mktemp
Warn on uses of
.Fn mktemp .
.It security.insecureAPI.rand
Warn on uses of
.Fn rand ,
.Fn random ,
and related functions.
.It security.insecureAPI.strcpy
Warn on uses of
.Fn strcpy
and
.Fn strcat .
.It security.insecureAPI.vfork
Warn on uses of
.Fn vfork .
.It unix.API
Check calls to various UNIX/POSIX functions.
.It unix.Malloc
Check for memory leaks, double free, and use-after-free.
.It unix.cstring.BadSizeArg
Check the size argument passed into C string functions for common
erroneous patterns.
.It unix.cstring.NullArg
Check for null pointers being passed as arguments to C string functions.
.El
.\"
.Sh EXAMPLE
.Ic scan-build -o /tmp/myhtmldir make -j4
.Pp
The above example causes analysis reports to be deposited into
a subdirectory of
.Pa /tmp/myhtmldir
and to run
.Ic make
with the
.Fl j4
option.
A different subdirectory is created each time
.Nm
analyzes a project.
The analyzer should support most parallel builds, but not distributed builds.
.Sh AUTHORS
.Nm
was written by
.An "Ted Kremenek" .
Documentation contributed by
.An "James K. Lowden" Aq jklowden@schemamania.org .
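Added example, not part of the original manual or of the scan-build distribution: C patterns of the kind described for security.insecureAPI.strcpy, unix.cstring.BadSizeArg and security.FloatLoopCounter under CHECKERS, compiled only when SHOW_FLAGGED is defined, next to forms that avoid them. All function names and the SHOW_FLAGGED macro are hypothetical.

```c
/* Added example; function names and SHOW_FLAGGED are hypothetical. */
#include <stdio.h>
#include <string.h>

#ifdef SHOW_FLAGGED   /* build with -DSHOW_FLAGGED to let the analyzer see these */
void greet_flagged(const char *name) {
    char buf[32];
    strcpy(buf, "hello ");            /* security.insecureAPI.strcpy */
    strncat(buf, name, sizeof(buf));  /* unix.cstring.BadSizeArg: whole-buffer
                                         size, not the space that is left */
    puts(buf);
}
int ramp_flagged(double *out) {
    int n = 0;
    /* security.FloatLoopCounter: rounding error in x decides the trip count */
    for (float x = 0.0f; x < 1.0f; x += 0.1f)
        out[n++] = x;
    return n;
}
#endif

/* Bounded formatting: 0 on success, -1 (and an empty string) if the
 * greeting does not fit in cap bytes. */
int greet_checked(char *out, size_t cap, const char *name) {
    int n;
    if (out == NULL || cap == 0 || name == NULL)
        return -1;
    n = snprintf(out, cap, "hello %s", name);
    if (n < 0 || (size_t)n >= cap) {
        out[0] = '\0';                /* do not hand back a truncated string */
        return -1;
    }
    return 0;
}

/* Integer loop counter: exactly n iterations, values derived from i. */
int ramp_checked(double *out, int n) {
    int i;
    for (i = 0; i < n; i++)
        out[i] = (double)i / n;
    return i;
}

int main(void) {
    char buf[32];
    double r[10];
    int rc = greet_checked(buf, sizeof buf, "ops");
    printf("%d \"%s\" %d\n", rc, buf, ramp_checked(r, 10));
    return 0;
}
```

Because the default checker group depends on the operating system, name the checkers with -enable-checker when analyzing a file like this with -DSHOW_FLAGGED, and add --status-bugs so that findings change the exit status instead of only appearing in the report directory.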